Brian Croteau is Chief Auditor at PricewaterhouseCoopers U.S. and a member of the Public Company Accounting Oversight Board’s Standards and Emerging Issues Advisory Group. Views are the author’s own.
Twenty-two years ago, Congress enacted the Sarbanes-Oxley Act — the landmark legislation that created the foundation for the modern corporate financial reporting and auditing landscape, as well as developing the Public Company Accounting Oversight Board to oversee the audits of U.S. companies. Since that time, the business environment has changed dramatically, requiring the audit profession to respond to a wide range of stakeholders’ needs and expectations.
Ultimately, auditors serve an important role that contributes to confidence in the financial information provided by public companies, which help drive our capital markets. This is not a responsibility that we, as auditors, take lightly. That is why we have continued to take proactive actions since the inception of SOX to enhance confidence, respond to emerging and evolving risks, and provide clarity around the auditor’s role.
For that reason, meaningful, but appropriately measured, changes to auditing standards and regulations are important to the strength of capital markets and to the investor community, and that's why a new standard put forth by the PCAOB deserves close attention.
In June 2023, the PCAOB proposed a new auditing standard related to a Company’s Noncompliance with Laws and Regulations that would significantly alter the audit landscape. On March 6 of this year, I participated in a roundtable held by the PCAOB to seek further feedback on the proposed standard from a range of stakeholders.
As discussed during the roundtable, the NOCLAR auditing standard would expand auditors’ scope of work dramatically: the rule as proposed would impose on auditors greatly expanded responsibilities for identifying — or even preventing — noncompliance with a very wide range of laws to which a company is subject.
This is in contrast to current standards today, where auditors focus on laws and regulations that have a direct and material impact on a company’s financial statements — for example, those relating to income taxes and pensions. Where noncompliance with other types of laws and regulations comes to our attention, we perform further procedures related to the matters identified, because they could indirectly affect the financial statements through fines or other penalties.
Auditors also closely assess matters related to the company’s accounting for loss contingencies and related disclosures. To illustrate how this approach works under the current standard, take the case of a fictional electronics manufacturer. Today, that manufacturer’s financial statements and disclosures are subjected to procedures to obtain reasonable assurance of detecting illegal acts that would have a direct and material effect on the determination of financial statement amounts, such as a law imposing federal corporate income taxes.
It would be reasonable for the PCAOB to adopt a rule expanding the auditor’s responsibilities by requiring us to perform additional risk-based procedures related to those laws and regulations that are central or critical to a company’s operations. In the example of the electronics manufacturer, these related laws might apply to the sourcing of materials or compliance with waste disposal standards, both of which could have a material impact on its financial reporting.
But, is it similarly reasonable for the PCAOB to adopt a rule that would require the auditor of the electronics manufacturer to assess whether the company is in compliance with foreign regulations on office remodeling permits? While this may seem an extreme example, given the thousands of laws and regulations to which any company is subject, it’s important the auditor’s role be well-defined and closely tied to reliable financial reporting.
NOCLAR risks transforming the independent auditor's role of providing an opinion based on reasonable assurance that the financial statements are presented fairly into one of a compliance officer. Because that is a role that rests squarely with company management, the proposal has the potential to jeopardize auditor independence.
For CFOs of public companies, as proposed, the NOCLAR rule would lead to a marked increase in costs that likely far outweigh benefits, as well as having unintended consequences such as adding further complexity to privilege considerations and management of interactions with both internal and external counsel. Such matters could ultimately complicate, and in some ways conflate, CFO, audit committee and external auditor responsibilities.
We recognize the objective of the PCAOB's proposed rule is to address concerns about risks to investors from companies' noncompliance, and we see the potential benefits of updating the standard to continue to enhance quality and promote a better understanding of the auditor's role.
But, as written, the board's NOCLAR proposal will benefit from revisions, as the approach proposed would likely, even though unintentionally, contribute to misunderstanding of the role of auditors related to instances of noncompliance by companies. We have shared ways to approach the issue that are better suited to the function of auditors in contributing to the reliability of financial information and the capital markets.
As the PCAOB considers changes, we all must keep investor needs at the forefront, designing standards for audit services for them that provide a commensurate benefit to the costs they will bear. Where regulators issue rules without sufficient buy-in from across-market participants as to their value, they risk creating conflicting expectations, which could undermine the trust that is a distinguishing strength of our financial reporting system.
The PCAOB's focus on investor protection is important — for market stakeholders, the health of our capital markets, and the future of the independent audit. And yet, significant regulatory changes requiring auditors to perform compliance audits over a wide range of laws and regulations that do not directly impact a company’s financial statements risks increasing the cost, complexity and timeliness of audits and surely would not provide a commensurate beneficial improvement to investor protections.
Auditors know that our work is part of the fabric of trust upon which American capital markets operate. Our ability to contribute to that trust relies on our focus on relevant risk, independence and objectivity. I welcome measured steps forward that carefully balance costs and benefits and are scalable to audits of companies of all sizes and complexity.